Introducing New HSD Premium Partner: Emproof
Emproof recently became a part of the Security Delta (HSD) security cluster as a premium partner. Emproof delivers security for embedded systems, using unique techniques that protect algorithms and data while securing the entire device. Their solution is aimed at preventing reverse engineering, to secure intellectual property and protect against exploitation attacks. To get a feeling for their expertise, services, and ambitions, we sat down with Brian Kelly, CEO of the Eindhoven-based company.
To begin, can you tell us how Emproof came to be?
Emproof was founded in Germany by three PhD’s: Marc Fyrbiak, Tim Blazytko and Philipp Koppe. They were experts in embedded security and were doing research on vulnerabilities of embedded devices. They each had different areas of expertise: the interface between hardware and software, reverse engineering, and binary code. You could say they were hackers at heart, all approaching the security issue from different perspectives.
Together they were able to break into almost everything, and wondered why it was so easy. So, they asked themselves: “How would we stop ourselves from getting into these systems?” They came up with some ideas and were given a grant by the German governments to develop a product based on their academic concepts. They did, and they founded an actual company, and assembled a team. That’s when I got involved, through an introduction from one of their professors, who is the head of the Max Planck Institute for Cybersecurity.
So Emproof has German origins. How did you end up in the Netherlands?
We moved to the Netherlands in December 2021, because we saw companies here as more investor friendly. We chose Eindhoven because of the technical university here, and the semiconductor industry ties. I set up residency here in the Netherlands as the resident director, and we’re starting to hire here this year. The engineering team is still in Germany, but we’re going to bring in sales and administrative business support this first quarter, so we’re expanding here.
Although Eindhoven is a great city with lots of opportunity, If we had to choose today, I would move to the Hague. HSD is there, as well as many governments, all the government response and action on security takes place there. Our lead investor, TIIN Capital, is there as well. They invested in 2022. We have two other investors as well, a French investor called Cyber Impact, and a German investor called HTGF.
Long story short, we are now based here, with investors from three different European countries. Our headquarters are in Eindhoven, the engineering office is in Germany, and our sales lead is in the UK. I’m an Irish citizen myself, so we’re very internationally focused.
What kind of proof and services can Emproof offer the security cluster?
Our expertise is in the embedded environment. Anything that is running firmware on the chip level is our field. Our products are less limiting than other security products. If you look at code, you often need an 100x increase in terms of lines of code to protect it effectively. With 10 lines of code, you’d need 1000 lines of additional code to provide security for it. In larger environments, such as servers, laptops, or even modern phones, you usually have a lot of computing power, so it shouldn’t pose too much of a problem.
When looking at embedded environments, every megabyte of memory counts though, and overhead becomes a big issue. In many cases, that 100x overhead is hard to afford. What we as Emproof can do, is offer the same level of security, even better in some cases, with only 10 to 20% of that overhead. If a company approaches us with a situation where they only have 5% available, we won’t face the same challenge others would. We can work with that.
Another thing our product is great for is hardening machine learning and AI models. Open-source AI models are transparent, which you could see as secure as anyone can verify it, but it also shows vulnerabilities. That’s why companies usually invest a lot into their proprietary algorithms, to protect them from that reverse engineering and stop other companies from copying them. We can help companies protect the IP itself, and their trade secrets.
What are you hoping to get out of the HSD partnership and the cluster?
You use the word partnership. That’s really what we're looking for. We want to gain access to markets and get more involved in the Dutch marketplace. We want the companies there to get acquainted with us. Getting an idea of what we could contribute to that market in terms of support is important to us as well. An example is a new EU security standard coming out that includes embedded systems. We are hoping that we can contribute there.
I remember the early days of internet banking when many didn’t want to try it, because they didn’t trust their networks. Now it’s a lot safer to do internet banking and a lot of that came from government regulation. When private companies coming up with new solutions fall short, their customers will force them to adapt, or the government will. We would like to get more insight into that dialogue, and how we can play a role.
Currently there’s a lot of connected devices, but it’s nothing compared to what it will be in 10 years. We’re still early and want to get the word out that each device connected to a network is a potential vector for attack.
Would you say you see that as the biggest challenge in terms of security?
I think embedded security is a growing piece of the puzzle, since everything is so connected these days. We see operating systems taking on more responsibility or embedded software taking on a bigger role in computing that is not protected. Companies often say that’s because customers aren’t asking for it. It’s a catch 22, because they aren’t asking for it, since the companies say it’s safe. From our small piece of the world, that's where we see the biggest security issues. We can get into a much deeper conversation over whether it’s criminal elements, or state actors. In the end I think it all still comes down to data privacy, and the balance between privacy and societal security.